Are you as tired as I am of movie and television series plots that revolve around super-hackers and super-counter-hackers?

It was bad enough when a bad guy sat down, cracked his (or, less commonly, her) knuckles, started typing, and five seconds later told the uber-bad-guy (no, not a tailgating ride-share-driver), “I’m in!” (Fair’s fair: In the first Die Hard movie the hacker needed a more reasonable hour or so.)

If you’re working on a hacking-related script, please: Have the bad-guy-hacker open a desk drawer, pull out a Post-It®, and type in the password written there. While in the real world this isn’t a reliable method … in a typical office the hacker would have to visit at least five desks … it would at least be plausible.

Accuracy would depict the hacker sending out a spear phishing attack, but I’ll make a concession, given that, unlike your average caper movie, in a hacker plot the process isn’t the point.

Which (in admittedly slow motion) gets us closer to the point of this week’s epistle. But to get there … my wife and I were catching up on a couple of television shows we enjoy. Both of their plots, back to back, were based on ransomware attacks. And no, I’m not going to identify the shows. My guilty pleasures are none of your business.

What is your business is protecting your organizations from ransomware attacks. On a pain scale of one to ten, where one is your level of discomfort following a vaccination and ten is what you experience during an anesthetic-free amputation, these rate about twelve.

What’s most shocking about the ransomware epidemic, both on television and in the real virtual world (now, now, don’t be like that!) is that they are, so far as I can tell, both more preventable and remediable than your typical write-up on the subject would suggest.

But only if you’ve prepared.

What follows are a few basics to get you started. Most are steps you should have taken even before ransomware became prevalent. Next week we’ll dig deeper.

Data can’t be infected. Data can be encrypted, making it inaccessible, which is what ransomware does. But except for files that carry executable content (macro-laden documents being the classic case), data can’t be infected, because … it’s data, not executable. So make sure all of your data resides on different physical servers than your executables. That’s physical, not just virtual. One caveat: separation buys you a cleaner recovery, not immunity. Ransomware runs with whatever credentials it stole, and it will encrypt every share those credentials can write to, so pair the separation with least-privilege access to the data stores.

More important, make sure all of your data backups are immutable (write-once, not merely flagged read-only), managed by different, air-gapped physical servers that production credentials can’t reach. A backup that a compromised domain account can overwrite or delete isn’t a backup. It’s one more thing the ransomware will encrypt first.

More important yet, take frequent snapshots and preserve all journal files and change logs for what feels like an excessive period of time. Ransomware operators routinely sit inside a network for weeks before they pull the trigger, so you need snapshots old enough to predate the initial compromise, and the logs that let you figure out when that was.

Ransomware shuts down business operations. So include recovery from a ransomware attack in your business continuity plan. Additional thoughts about this:

  • Make ransomware recovery a scenario within your business continuity plan, not a separate document. If you have two overlapping recovery plans to keep synchronized, they won’t stay synchronized.
  • Know how you’ll continue business operations during a ransomware attack. Improvisation after you’ve been attacked is considered industry worst practice.
  • As with the rest of your business continuity plan, an untested ransomware recovery plan isn’t a plan, just wishful thinking.
  • Hope wasn’t a plan before ransomware became a threat. It’s even more not a plan now.

Reinstall. Make sure you can reinstall, not only applications, but also the platforms they run on. Document every procedure required to rebuild every piece of your production environment, starting with the original installation files, whose hashes you’ve recorded so you can check every rebuilt system against them. That’s the only way you can be confident you aren’t recovering ransomware executables in your attempts to restore an uncompromised production environment.
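Two of the checks above, choosing a snapshot that predates the compromise and verifying a rebuild against the original installation files, are easy to get wrong under pressure, so here they are as a worked example. This is added code, not from the column or from any product; the snapshot names, timestamps, file contents and hashes are all constructed for illustration.

```python
"""Added example: two checks a ransomware recovery runbook should run
before anyone presses "restore".

1. Pick the newest immutable snapshot that predates the earliest evidence
   of compromise. If retention is shorter than the attacker's dwell time
   there is no such snapshot, and the function says so instead of quietly
   handing back the newest one (which may already hold trojaned files).
2. Verify a rebuilt tree against a hash manifest generated from the
   original installation media, so a restore cannot smuggle a ransomware
   executable back into production.

Every snapshot, file and hash below is constructed for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime
    immutable: bool  # write-once / air-gapped copy, not just a read-only flag


def latest_clean_snapshot(snapshots: list[Snapshot], compromise_at: datetime,
                          margin: timedelta = timedelta(0)) -> Optional[Snapshot]:
    """Newest immutable snapshot taken at least `margin` before the
    earliest evidence of compromise, or None if retention is too short."""
    candidates = [s for s in snapshots
                  if s.immutable and s.taken_at <= compromise_at - margin]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.taken_at)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(install_media: dict[str, bytes]) -> dict[str, str]:
    """Hash every file on the original installation media. Generate this
    once, from vendor media, and keep it with the air-gapped backups."""
    return {path: sha256_hex(content) for path, content in install_media.items()}


def verify_restore(restored: dict[str, bytes], manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a rebuilt tree against the known-good manifest.

    Returns files whose hash differs from the manifest ("modified"), files
    present in the restore but absent from the manifest ("unexpected", which
    is where a dropped ransomware binary shows up), and manifest files the
    restore lacks ("missing").
    """
    modified = sorted(p for p, c in restored.items()
                      if p in manifest and sha256_hex(c) != manifest[p])
    unexpected = sorted(p for p in restored if p not in manifest)
    missing = sorted(p for p in manifest if p not in restored)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


# --- constructed sample data --------------------------------------------
INSTALL_MEDIA = {
    "bin/app": b"original application binary (constructed)",
    "etc/app.conf": b"listen=127.0.0.1\n",
}
MANIFEST = build_manifest(INSTALL_MEDIA)

# A restore candidate in which a config was altered and a binary dropped.
RESTORE_CANDIDATE = {
    "bin/app": b"original application binary (constructed)",
    "etc/app.conf": b"listen=0.0.0.0\n",
    "bin/locker": b"ransomware dropper (constructed placeholder)",
}

COMPROMISE_AT = datetime(2021, 8, 1, 3, 0)  # earliest evidence in the logs
SNAPSHOTS = [
    Snapshot("nightly-07-29", datetime(2021, 7, 29, 2, 0), immutable=True),
    Snapshot("nightly-07-31", datetime(2021, 7, 31, 2, 0), immutable=True),
    Snapshot("nightly-08-01", datetime(2021, 8, 1, 2, 0), immutable=False),  # on a reachable share
    Snapshot("nightly-08-02", datetime(2021, 8, 2, 2, 0), immutable=True),   # taken after compromise
]


if __name__ == "__main__":
    chosen = latest_clean_snapshot(SNAPSHOTS, COMPROMISE_AT, margin=timedelta(days=1))
    print("restore from:", chosen.name if chosen else "NO CLEAN SNAPSHOT: retention too short")
    print(verify_restore(RESTORE_CANDIDATE, MANIFEST))
```

The margin argument is there because "earliest evidence in the logs" is rarely the real intrusion date; padding it by a day or more is the difference between restoring a clean system and restoring the attacker's foothold. Note also that the snapshot sitting on a production-reachable share is skipped even though it predates the compromise: if the ransomware could write to it, you can't trust it.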

Cloud due diligence. Review your cloud vendors’ ransomware recovery plans and make sure they’re up to your standards, especially with respect to data protection. Consider adding on-site, read-only, snapshotted, air-gapped data backups to your cloud architecture.

Bob’s last word: In addition to making sure you have a professional-grade ransomware response plan, rationalize your application and platform portfolios. If you do have to recover from a ransomware attack, recreating the production environment is dramatically simpler in organizations that have consolidated redundant applications and platforms, and whose platforms are sufficiently current that reinstallation will work.

Bob’s sales pitch: I don’t claim to be an expert on this subject (thanks to Mike Benz, who is, for reviewing it).

This isn’t intended to be either gospel or complete. Consider it a nudge, and guidance on where to start digging. If you haven’t been taking this threat seriously … take this threat seriously. It’s shocking how many IT organizations have succumbed to ransomware attacks with little or no preparation. The pandemic-level growth of these attacks is even more shocking, and we’re still at the pre-vaccine stage of dealing with it.

Safe behavior is the best defense. Make sure you’re practicing it.

It’s time to revisit … or maybe just visit … your COVID-19 vaccination policy.

If you’re about to express your indignation about bringing politics into Keep the Joint Running, don’t. As has been pointed out in this space before, propositions that have been politicized are not necessarily propositions that are political.

Example: 98.9% of all COVID-19 cases that have resulted in mortality or hospitalization were contracted by unvaccinated individuals.

Just in case you’re having trouble classifying this statement, it is not political.

And it does suggest the text of what should be your COVID-19 vaccination policy:

All employees who:

  • Enter our facilities …
  • Enter a client’s facilities …
  • Perform any of their responsibilities face-to-face with colleagues regardless of location …

… must be fully vaccinated. Refusal to comply with this policy can result in termination or reassignment to a position all of whose duties can be performed remotely. If the result is reassignment the company reserves the right to adjust compensation to make it commensurate with the new position’s pay structure.

This policy applies to all employees and contractors, other than those who can perform all work remotely.

Understand, I’m among those who consider that the quintessential element of American culture is that we’re all free to pretty much go to hell however we’d like. But I’m also among those who agree with John B. Finch that, “… your right to swing your arm leaves off where my right not to have my nose struck begins.”

But neither of these propositions is the driving force behind this vaccination policy.

The driving force is your responsibility as an employer to provide safe working conditions for everyone who works in your facilities. Every unvaccinated employee, even one wearing a mask, constitutes a preventable hazard to every employee they come in contact with.

That includes vaccinated employees. While the approved vaccines have proven extraordinarily effective, in risk management terms they don’t prevent the disease perfectly. What they do is prevent it well and mitigate its effects among those who contract the virus.

So exposing even fully vaccinated employees to unvaccinated ones endangers them.

Another popular objection to mandatory vaccination is that the risks of vaccination aren’t known.

This is accurate, in the same sense that you don’t know if a piece of software you’ve relied on for the past year has undetected vulnerabilities. In both cases your confidence is limited to how well you know what risks to look for, and your ability to look for them.

What we know about the COVID-19 vaccines’ risks is that they are minuscule.

What we know about COVID-19’s risks is that the disease’s symptoms include death, severe debilitation, and months of everything you eat tasting like cardboard.

Requiring employees to be vaccinated doesn’t put them at risk. On balance it reduces their net risk.

But …

Employers are accustomed to having most of the power in their relationship with their employees, and if that’s your situation a policy such as the one recommended here might be workable.

But right now you have to strike a balance, because there’s a pretty good chance you have some otherwise valuable employees who, for one reason or another, refuse to be vaccinated.

So even if you like the policy I’ve described here, you’ll probably have to soften it to accommodate them.

Bob’s last word: If you’re concerned that a policy like this might create the impression that you’re endorsing a political party or governing philosophy, be reassured: even Fox Corporation has instituted a form of “vaccine passport.”

Regardless, please share your thoughts, and even better your company’s vaccination policy, with the KJR community by way of the Comments.

Bob’s sales pitch: On an entirely different subject, if you’re interested in how to make IT process improvement initiatives successful, check out my most recent article on CIO.com: “The hard truth about IT process success.”